[Fedora-directory-commits] ldapserver/ldap/servers/plugins/memberof memberof.c, 1.3, 1.4

Nathan Kinder (nkinder) fedora-directory-commits at redhat.com
Fri Mar 28 21:45:54 UTC 2008


Author: nkinder

Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/memberof
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24900

Modified Files:
	memberof.c 
Log Message:
Summary: Avoid adding a group as a memberOf itself.
Resolves: 439450



Index: memberof.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/memberof/memberof.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- memberof.c	28 Mar 2008 20:45:22 -0000	1.3
+++ memberof.c	28 Mar 2008 21:45:52 -0000	1.4
@@ -946,6 +946,27 @@
 	}
 	/* continue with operation */
 	{
+		Slapi_Value *to_dn_val = slapi_value_new_string(op_to);
+		Slapi_Value *this_dn_val = slapi_value_new_string(op_this);
+
+		/* We want to avoid listing a group as a memberOf itself
+		 * in case someone set up a circular grouping.
+		 */
+		if (0 == memberof_compare(&this_dn_val, &to_dn_val))
+		{
+			slapi_log_error( SLAPI_LOG_PLUGIN,
+				MEMBEROF_PLUGIN_SUBSYSTEM,
+				"memberof_modop_one_r: not processing memberOf "
+				"operations  on self entry: %s\n", this_dn_val);
+			slapi_value_free(&to_dn_val);
+			slapi_value_free(&this_dn_val);     
+			goto bail;
+		}
+
+		/* We don't need the Slapi_Value copies of the DN's anymore */
+		slapi_value_free(&to_dn_val);
+		slapi_value_free(&this_dn_val);
+
 		if(stack && LDAP_MOD_DELETE == mod_op)
 		{
 			if(memberof_is_legit_member(pb, group_dn, 
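Review bot: The added `slapi_log_error` call passes `this_dn_val`, a `Slapi_Value *`, to a `%s` conversion, which is undefined behaviour. The logger would read the struct's bytes as a C string, so it can write stray heap contents into the error log or crash the server. This branch runs when an entry is processed against itself, which the comment ties to a circular grouping, so a user who can edit group membership can probably reach it (likely only when plugin-level logging is enabled). Log the DN string the value was built from instead, `"operations  on self entry: %s\n", op_this);`, or use `slapi_value_get_string(this_dn_val)`. The enclosing function starts and ends outside this hunk, so the `rc` returned after `goto bail` is not visible here and is worth confirming.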
@@ -1012,20 +1033,12 @@
 
 		if(LDAP_MOD_ADD == mod_op)
 		{
-			Slapi_Value *to_dn_val = slapi_value_new_string(op_to);
-			Slapi_Value *this_dn_val = slapi_value_new_string(op_this);
-
 			/* If we failed to update memberOf for op_to, we shouldn't
-			 * try to fix up membership for parent groups.  We also want
-			 * to avoid going into an endless loop if we've hit a
-			 * circular grouping. */
-			if ((rc == 0) && (0 != memberof_compare(&this_dn_val, &to_dn_val))) {
+			 * try to fix up membership for parent groups. */
+			if (rc == 0) {
 				/* fix up membership for groups that are now in scope */
 				memberof_add_membership(pb, op_this, op_to);
 			}
-
-			slapi_value_free(&to_dn_val);
-			slapi_value_free(&this_dn_val);
 		}
 	}
 



